Stochastic Formal Methods:
An application to accuracy of numeric software

Abstract — This paper provides a bound on the number of
numeric operations (fixed or floating point) that can safely be
performed before accuracy is lost. This work has important
implications for control systems with safety-critical software, as
these systems are now running fast enough and long enough
for their errors to impact on their functionality. Furthermore,
worst-case analysis would blindly advise the replacement of
existing systems that have been successfully running for years.
We present here a set of formal theorems validated by the PVS
proof assistant. These theorems will allow code analyzing tools
to produce formal certificates of accurate behavior. For example,
FAA regulations for aircraft require that the probability of an
error be below $10^{-9}$ for a 10 hour flight.

I. Introduction 

Formal proof assistants are used in areas where errors can
cause loss of life or significant financial damage, as well as
in areas where common misunderstandings can falsify key
assumptions. For this reason, formal proof assistants have been
much used in floating point arithmetic [?], [?], [?]. These
references only point to a few of the projects using proof
assistants such as ACL2, HOL [?], Coq [?] and PVS [?].

All these projects deal with worst case behavior. Recent
work has shown that worst case analysis is meaningless for
applications that run for a long time. For example, a process
adds numbers in $[-1, 1]$ in single precision, and therefore has a
round-off error of $\pm 2^{-24}$ per addition. If this process adds $2^{24}$ items, then
the worst-case accumulated error is $\pm 1$, and note that 10 hours of flight
time at an operating frequency of 1 kHz is approximately $2^{25}$
operations. Yet we easily agree that, provided the round-off
errors are not correlated, the actual accumulated error will be
much smaller.

Developments in probability share many features with de- 
velopments in floating point arithmetic: 

1) Each result usually relies on a long list of hypotheses. No
hypothesis can be removed, but slight variations induce
a large number of results that look almost identical.

2) Most people that use the results are not specialists in
the specific field. They want a trustworthy result but
they are not proficient enough to either select the best
scheme or detect minor faults that can quickly lead to
huge problems.

For these reasons, we are strongly of the opinion that
validation of safety-critical numeric software using
probability should be done using an automatic proof checker. We
present in Section II the model that we are using. Section III
presents our formal developments in probability. The Doobs-Kolmogorov
inequality provides an effective way to compute
the probability that a piece of software will successfully run
within an acceptable error bound.

This work is connected to continuous space Markov random
walks or renewal-reward processes, though these applications
focus on asymptotic behavior [10], [11]. We want to precisely
bound the probability of remaining within bounds for a given
number of steps. This is connected to ruin probabilities [12]
and the Doobs-Kolmogorov inequality for martingales [13].
Related work on the theoretic construction of the probability space
using higher order logic can be found in [14] and
references therein. In the rest of this text, we assume that the
created round-off and measure errors are unbiased independent
random variables, or that their expectation conditional on the
previous errors is zero.

II. Stochastic model 

A. Individual round-off errors of fixed and floating point
operations

We are dealing with fixed or floating point numbers. A
floating point number represents $v = m \times 2^{e}$ where $e$ is an
integer and $m$ is a fixed point number [16]. The IEEE 754 standard
[17] uses sign-magnitude notation for the mantissa, and the
first bit of the mantissa is implicit in most cases, leading to
the following definition where $s$ and all the $b_i$ are either 0 or
1 (bits).

$$v = (-1)^{s} \times 1.b_1 \cdots b_{p-1} \times 2^{e}$$

Some circuits such as the TMS320 use two's complement notation
for $m$, leading to the following definition [18].

$$v = (1.b_1 \cdots b_{p-1} - 2 \times s) \times 2^{e}$$

For both notations, we define for any representable number
$v$ the unit in the last place function, where $e$ is the exponent
of $v$ as above. In fixed point notation, $e$ is a constant provided
by the data type.

$$\mathrm{ulp}(v) = 2^{e-p+1}$$

A variable $v$ is set either by an external sensor or by an
operation. Trailing digits of numbers randomly chosen from
a logarithmic distribution [19, p. 254-264] are approximately
uniformly distributed [20]. So we can assume that if $\hat{v}$ is a
datum obtained by an accurate sensor, the difference between
$\hat{v}$ and the actual value $v$ is uniformly distributed in the range
$\pm \mathrm{ulp}(v)/2$. We can model the representation error $\hat{v} - v$ by a
random variable $X$ with expectation $E(X) = 0$ and variance
$E(X^2) = \mathrm{ulp}(v)^2/12$. The sensor may be less accurate, leading
to a larger variance, but it should not be biased.

Round-off errors created by operators are discrete and
they are not necessarily distributed uniformly [21]. For each
operator $\circledast$ implementing the real operation $*$ we define

$$X = V \circledast W - V * W$$

where $V$ and $W$ are numbers distributed logarithmically over
specified ranges. The distribution of $X$ is very specific, but
we verify that the expectation is $E(X) = 0$ and we bound its
variance $E(X^2)$.

Fixed point additions do not create any additional round-off
error provided the output is in the same format as the
inputs. Reducing the format of a fixed point number creates a
uniformly distributed round-off error provided the input was
logarithmically distributed [20].



B. Round-off errors of an accumulation loop

We will use two examples. The first one is given in listing 1.
It sums data produced by a fixed point sensor $x_i$ with a
measure error $X_i$.

Listing 1. Simple discrete integration from [?]

    a_0 = 0
    for (i = 0; i < n; i = i + 1)
        a_{i+1} = a_i + x_i

We can safely assume that the $X_i$ are independent, identically
and uniformly distributed random variables over $\pm \mathrm{ulp}(x_i)/2$. Data
are fixed point, meaning that the sum $a_i + x_i$ does not
introduce any rounding error, and the weight of one unit in
the last place does not depend on $x_i$, so we write $\mathrm{ulp}$ instead
of $\mathrm{ulp}(x_i)$. After $n$ iterations, we want the probability that
the accumulated measure error has always been constrained
within user specified bounds $\epsilon$. Using the Doobs-Kolmogorov
inequality of Theorem 3, where $S_i = \sum_{j=1}^{i} X_j$, we have that

$$P\left(\max_{1 \le i \le n} |S_i| \ge \epsilon\right) \le \frac{E(S_n^2)}{\epsilon^2} = \frac{n\,\mathrm{ulp}^2}{12\,\epsilon^2}.$$

The second example is given in listing 2. It solves initial
value problem (IVP) ordinary differential equations (ODE) by
computing an incremental slope $\Phi(t_i, x_i, h_i, f)$ based on the
current time $t_i$, the current step size $h_i$, the current value of
the function $x_i$ and the differential equation $x'(t) = f(t, x(t))$.
The function $\Phi$ may be very simple using Euler's explicit
method, or more complex using any Runge-Kutta method or
any implicit method. We focus here on scalar ODEs although
our analysis may apply to vectors. Line 4 assumes, for the
sake of simplicity, that $h_i$ is a constant although this is not
necessary.

Listing 2. Solving initial value problem ordinary differential equations

    1  for (i = 0; i < n; i = i + 1) {
    2      x_{i+1} = x_i + h_i × Φ(t_i, x_i, h_i, f)
    3      t_{i+1} = t_i + h_i
    4      h_{i+1} = h_i
    5  }



Our first guess was to introduce a sequence of random
variables $\{X_n\}$ that models the difference introduced by
round-off errors at step $i$. In most cases, $\Phi$ introduces a drift
due to higher order effects of random variables and a drifted
correlation between the error introduced at step $i + 1$ and errors
on the previous steps. For example, the square of a rounded
value $v + V$, where $v$ is the stored value and $V$ is a random
variable, introduces a positive drift due to the term $V^2$ that is
always positive. So we model the effect of the round-off error
by two terms $X_i$ and $Y_i$. We use the Doobs-Kolmogorov
inequality of Theorem 3 for the sequence $\{X_n\}$ and worst
case error analysis for the sequence $\{Y_n\}$, setting the following
conditional expectation

$$E(X_n; X_1 \cdots X_{n-1}) = 0.$$

Random variables $X_{i+1}$ and $Y_{i+1}$ account for the round-off
and propagated errors introduced by replacing

$$x_i + X_i + Y_i + h_i \times \Phi(t_i, x_i + X_i + Y_i, h_i, f)$$

with

$$x_i \oplus h_i \otimes \hat{\Phi}(t_i, x_i, h_i, f)$$

where $\hat{\Phi}$ is the evaluation of $\Phi$ in the computer. First order effects of
the round-off errors created are accounted for in $X_{i+1}$. Higher order
effects of the round-off errors created, and the propagated effect of $X_i$
and $Y_i$ in $\Phi$, are accounted for in $Y_{i+1}$.

$\{X_n\}$ is constructed to contain only independent random
variables with no drift, $E(X_i) = 0$, and we only need to bound
their variance $E(X_i^2)$. We will do worst case analysis on $\{Y_n\}$
and we bound each $Y_i$ with interval arithmetic. Software
such as Fluctuat [?] is already able to distinguish between
first order and higher order error terms.

III. Probability distribution of being safe 
A. Probability 

We have two main choices in presenting an account of
probability: one is to take an informal approach, the second
involves taking foundational matters seriously. In this paper we
will consistently try to present matters informally except for
Section III-B; however, the reader should be aware that the PVS
system underlying these results is built on the firm foundations
for probability theory (using measure theory) [?], [27]. A
middle way between extreme formality and an accessible level
of informality is to be found in [?].

We begin by defining the distribution function of a random
variable.

Definition 1: A random variable $X$ has distribution function
$F$, if $P(X \le x) = F(x)$.



As we will be studying continuous random variables, these
are defined as follows:

Definition 2: A random variable $X$ is continuous if its
distribution function can be expressed as

$$F(x) = \int_{-\infty}^{x} f(u)\,du$$

for some integrable function $f : \mathbb{R} \to [0, \infty)$. We call the
function $f$ the probability density function for the random
variable $X$.

As an example of a continuous random variable, consider the 
temperature T at a certain point in an industrial process. Even 
if an attempt is being made to hold this temperature constant, 
there will be minor fluctuations, and these can be modeled 
mathematically by assuming that T is a continuous random 
variable. 

The other concept we will need is that of dependent 
and independent random variables. Suppose we model the 
outcomes of the tossing of two coins Ci and C2 by random 
variables. Provided there is nothing underhand going on, we 
would expect the result of tossing the first coin to have no 
effect on the result of the second coin, and vice versa. If this 
is the case, then we say that Ci and C2 are independent. 
Consider an alternative scenario in which having tossed the 
coin Ci and discovered that it has come up "heads", and we 
now define the random variable C2 to be: the outcome: "the 
downward facing side of the coin Ci is tails". In this case the 
random variables Ci and C2 are dependent. 

The other idea we must address is that of conditional 
probability. 

Definition 3: We define the probability of "A given B"
(written $P(A; B)$) as:

$$P(A; B) = \frac{P(A \cap B)}{P(B)}$$

whenever $P(B) > 0$.

As an example: if event $A$ is "I am carrying an umbrella" and
event $B$ is "it is raining", then $P(A; B)$ is the probability
that "I am carrying an umbrella given that it is raining".
Note that although in general $P(A; B) \ne P(B; A)$, in this
particular case, if you live in Perpignan or Manchester, then on
most days $P(A; B) = P(B; A)$, though for rather different
reasons.

B. A Formal Development of probability 

Definition 4: A $\sigma$-algebra over a type $T$ is a subset of
the power-set of $T$ which includes the empty set $\{\}$, and is
closed under the operations of complement, countable union
and countable intersection.

If $T$ is countable, as it is for discrete random variables,
then we may take $\sigma = \mathcal{P}(T)$; if the set $T$ is the reals, as it
is for continuous random variables, then we take $\sigma = \mathcal{B}$,
the Borel sets.

Definition 5: A Measurable Space $(T, \sigma)$ is a set (or in PVS
a type) $T$, and a $\sigma$-algebra over $T$.



Definition 6: A function $\mu : \sigma \to \mathbb{R}_{\ge 0}$ is a Measure over
the $\sigma$-algebra $\sigma$, when $\mu(\{\}) = 0$, and for a sequence of
disjoint elements $\{E_n\}$ of $\sigma$:

$$\mu\left(\bigcup_{n=0}^{\infty} E_n\right) = \sum_{n=0}^{\infty} \mu(E_n).$$

Definition 7: A Measure Space $(T, \sigma, \mu)$ is a measurable
space $(T, \sigma)$ equipped with a measure $\mu$.

Definition 8: A Probability Space $(T, \sigma, P)$ is a measure
space $(T, \sigma, P)$ in which the measure $P$ is finite for any set in
$\sigma$, and in which:

$$P(\overline{X}) = 1 - P(X).$$

The PVS development of probability spaces in Figure 1
takes three parameters: $T$, the sample space; $S$, a $\sigma$-algebra of
permitted events; and $P$, a probability measure, which assigns
to each permitted event in $S$ a probability between 0 and 1.
Properties of probability that are independent of the particular
details of $T$, $S$ and $P$ are then provided in this file. If we
wished to discuss continuous random variables then we would
partially instantiate this PVS file with T = real and S =
borel_set. If we go further and also specify P, we will
have described the random variable distributions as well. Of
particular interest later is the fact that the sum of two random
variables is itself a random variable, and consequently any
finite sum of random variables will be a random variable.

Definition 9: If $(T_1, \sigma_1, P_1)$ and $(T_2, \sigma_2, P_2)$ are probability
spaces then we can construct a product probability space
$(T_3, \sigma_3, P_3)$, where:

$$T_3 = T_1 \times T_2, \qquad \sigma_3 = \sigma(\sigma_1 \times \sigma_2), \qquad P_3(a \times b) = P_1(a)\,P_2(b),$$

and where $P_3$ is extended from the rectangles $a \times b$ to a measure
that has the whole of $\sigma_3$ as its domain.

Note that the product probability $P_3$ has the effect of
declaring that the experiments carried out in probability spaces
$(T_1, \sigma_1, P_1)$ and $(T_2, \sigma_2, P_2)$ are independent. Obviously, the
process of forming products can be extended to any finite
product of finitely many probability spaces. Currently, it is not
clear whether PVS is powerful enough to capture the notion of
a countably infinite sequence of random variables $\{X_n\}_{n=1}^{\infty}$;
fortunately, in this work we don't currently require this result.

In Figure 2 we define the conditional probability $P(A; B)$
(written P(A, B) as PVS will not permit the use of ";" as an
operator). We take the opportunity to prove Bayes' Theorem
along the way.

C. Continuous Uniform Random Variables 

If X is a continuous random variable distributed uniformly 
over the interval [a,b], then informally it takes any value within 
the interval [a, b] with equal probability. 

To make this more formal, we define the characteristic
function of a set $S$ as the function $\chi_S$, which takes the values
1 or 0 depending on whether it is applied to a member of $S$.



probability_space [T : TYPE+,                                          % sample space
                   (IMPORTING finite_measure@subset_algebra_def[T])
                   S : sigma_algebra,                                  % permitted events
                   (IMPORTING probability_measure[T, S])
                   P : probability_measure                             % probability measure
                  ] : THEORY
BEGIN

  IMPORTING finite_measure@sigma_algebra[T, S], probability_measure[T, S],
            continuous_functions_aux[real]

  A, B: VAR (S)
  x, y: VAR real
  n0z:  VAR nzreal
  t:    VAR T
  n:    VAR nat

  null?(A): bool     = P(A) = 0
  non_null?(A): bool = NOT null?(A)

  independent?(A, B): bool = P(intersection(A, B)) = P(A) * P(B)   % Note that it DOES NOT say =

  random_variable?(X: [T -> real]): bool = FORALL x: member({t | X(t) <= x}, S)
  zero: (random_variable?) = (LAMBDA t: 0)

  random_variable: TYPE+ = (random_variable?) CONTAINING zero

  X, Y: VAR random_variable
  XS:   VAR [nat -> random_variable]

  <=(X, x): (S) = {t | X(t) <= x};      % Needed for syntax purposes! <, >=, /=, > omitted

  complement_le1: LEMMA complement(X <= x) = (x < X)
  complement_lt1: LEMMA complement(x < X) = (X <= x)
  complement_eq:  LEMMA complement(X = x)  = (X /= x)
  complement_lt2: LEMMA complement(X < x)  = (x <= X)
  complement_le2: LEMMA complement(x <= X) = (X < x)
  complement_ne:  LEMMA complement(X /= x) = (X = x)

  -(X): random_variable = (LAMBDA t: -X(t));   % Needed for syntax purposes! + - * / omitted

  +(X, Y): random_variable = (LAMBDA t: X(t) + Y(t));
  -(X, Y): random_variable = (LAMBDA t: X(t) - Y(t));

  partial_sum_is_random_variable:
    LEMMA random_variable?(LAMBDA t: sigma(0, n, LAMBDA n: XS(n)(t)))

  distribution_function?(F: [real -> probability]): bool
    = EXISTS X: FORALL x: F(x) = P(X <= x)

  distribution_function: TYPE+ = (distribution_function?) CONTAINING
                                 (LAMBDA x: IF x < 0 THEN 0 ELSE 1 ENDIF)

  distribution_function(X)(x): probability = P(X <= x)

  F: VAR distribution_function

  convergence_in_distribution?(XS, X): bool
    = FORALL x: continuous(distribution_function(X), x) IMPLIES
                convergence((LAMBDA n: distribution_function(XS(n))(x)),
                            distribution_function(X)(x))

  invert_distribution: LEMMA LET F = distribution_function(X) IN          % Lemma 2.1.11-a (G&S)
    P(x < X) = 1 - F(x)

  interval_distribution: LEMMA LET F = distribution_function(X) IN        % Lemma 2.1.11-b (G&S)
    x <= y IMPLIES
    P(intersection(x < X, X <= y)) = F(y) - F(x)

  limit_distribution: LEMMA LET F = distribution_function(X) IN           % Lemma 2.1.11-c (G&S)
    P(X = x) = F(x) - limit(LAMBDA n: F(x - 1/(n+1)))

  distribution_0:                LEMMA convergence(F o (LAMBDA (n: nat): -n), 0)   % Lemma 2.1.6-a0 (G&S)
  distribution_1:                LEMMA convergence(F, 1)                            % Lemma 2.1.6-a1 (G&S)
  distribution_increasing:       LEMMA increasing?(F)                               % Lemma 2.1.6-b (G&S)
  distribution_right_continuous: LEMMA right_continuous(F)                          % Lemma 2.1.6-c (G&S)

END probability_space

Fig. 1. Abbreviated probability space file in PVS
conditional [T : TYPE+,                                                % sample space
             (IMPORTING finite_measure@subset_algebra_def[T])
             S : sigma_algebra,                                        % permitted events
             (IMPORTING probability_measure[T, S])
             P : probability_measure                                   % probability measure
            ] : THEORY
BEGIN

  IMPORTING probability_space[T, S, P], finite_measure@sigma_algebra[T, S]

  A, B:    VAR (S)
  n, i, j: VAR nat
  AA, BB:  VAR [nat -> (S)]   % declaration not legible in the scan; type assumed from the uses below

  P(A, B): probability = IF null?(B) THEN 0 ELSE P(intersection(A, B)) / P(B) ENDIF

  % lemma name not legible in the scan
  LEMMA P(A, B) * P(B) + P(A, complement(B)) * P(complement(B)) = P(A)

  conditional_partition: LEMMA
    Union(image(BB, fullset[below[n+1]])) = fullset[T] IMPLIES
    P(A) = sigma(0, n, LAMBDA i: P(A, BB(i)) * P(BB(i)))

  bayes_theorem: THEOREM
    NOT null?(B) AND
    Union(image(AA, fullset[below[n+1]])) = fullset[T] IMPLIES
    P(AA(j), B) = P(B, AA(j)) * P(AA(j)) /
                  sigma(0, n, LAMBDA i: P(B, AA(i)) * P(AA(i)))

END conditional

Fig. 2. Conditional probability file in PVS



Definition 10:

$$\chi_S(x) = \begin{cases} 1 & x \in S \\ 0 & x \notin S \end{cases}$$

Now the probability density function $f$ of the uniform random
variable over the closed interval $[a, b]$ is $\frac{1}{b-a}\,\chi_{(a,b]}$. From this
we can calculate the distribution function:

$$F(x) = \int_{-\infty}^{x} f(u)\,du,$$

from which we can calculate the probability

$$P(x < X \le y) = F(y) - F(x).$$

In the case where $X$ is distributed $U_{[0,1]}$ these can be written
out directly, because for any $f(x)$ with $\int f = F$ we have

$$\int_{-\infty}^{x} f(u)\,\chi_{(a,b]}(u)\,du = (F(x) - F(a))\,\chi_{(a,b]}(x) + (F(b) - F(a))\,\chi_{(b,\infty)}(x).$$

We also observe that if $X$ is distributed $U_{[a,b]}$, then $E(X) = \frac{a+b}{2}$
and $\mathrm{Var}(X) = \frac{(b-a)^2}{12}$. So, with $a = 0$, $b = 1$ we get
$E(X) = \frac{1}{2}$ and $\mathrm{Var}(X) = \frac{1}{12}$.

D. Sums of Continuous Random Variables 

Definition 11: If we have a sequence of continuous random
variables $\{X_n\}$, then we define their partial sums as a
sequence of continuous random variables $\{S_n\}$ with the property

$$S_n = \sum_{i=1}^{n} X_i.$$


Theorem 1: If continuous random variables $X$ and $Y$ have
joint probability density function $f$, then $Z = X + Y$ has
probability density function:

$$f_Z(z) = \int_{-\infty}^{\infty} f(x, z - x)\,dx.$$

In the special case where $X$ and $Y$ are independent, then
(because the joint probability density function $f(x, y)$ can be
expressed as the product $f_X(x)\,f_Y(y)$) we have the Continuous
Convolution Theorem:

Theorem 2: If continuous random variables $X$ and $Y$ are
independent and have probability density functions $f_X$ and $f_Y$
respectively, then $Z = X + Y$ has probability density function:

$$f_Z(z) = \int_{-\infty}^{\infty} f_X(x)\,f_Y(z - x)\,dx = \int_{-\infty}^{\infty} f_X(z - x)\,f_Y(x)\,dx.$$
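As an added worked instance of Theorem 2 (not part of the original paper), take $X$ and $Y$ to be two independent representation errors of the kind described in Section II-A, each uniform on $\pm\mathrm{ulp}/2$, and carry the convolution through. Here $u$ abbreviates $\mathrm{ulp}$ and $\lambda$ denotes length (Lebesgue measure).

$$f_X = f_Y = \frac{1}{u}\,\chi_{(-u/2,\,u/2]}$$

$$f_Z(z) = \int_{-\infty}^{\infty} f_X(x)\,f_Y(z - x)\,dx
= \frac{1}{u^2}\,\lambda\left\{x : |x| \le \tfrac{u}{2},\ |z - x| \le \tfrac{u}{2}\right\}
= \begin{cases} \dfrac{u - |z|}{u^2} & |z| \le u \\[6pt] 0 & \text{otherwise} \end{cases}$$

so the sum of two uniform errors has a triangular density on $(-u, u)$, and

$$E(Z) = 0, \qquad
\mathrm{Var}(Z) = \int_{-u}^{u} z^2\,\frac{u - |z|}{u^2}\,dz
= \frac{2}{u^2}\left(\frac{u^4}{3} - \frac{u^4}{4}\right)
= \frac{u^2}{6} = \frac{u^2}{12} + \frac{u^2}{12}.$$

The variance of the sum is the sum of the two variances $\mathrm{ulp}^2/12$, which is the identity $E(S_n^2) = \sum_i \sigma_i^2$ relied on when the Doobs-Kolmogorov inequality is applied to the partial sums $S_n$.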



E. Reliability of long calculations 

What we are actually interested in is whether a series of
calculations might accumulate a sufficiently large error to
become meaningless. In the language we have developed, we
are asking what is the probability that all calculations of length
up to $n$ are correct:

$$\max_{1 \le i \le n} |S_i| < \epsilon.$$

Because they have nice convergence properties, we are
especially interested in martingales.

Definition 12: A sequence $\{S_n\}$ is a martingale with respect
to the sequence $\{X_n\}$, if for all $n$:

1) $E(|S_n|) < \infty$; and

2) $E(S_{n+1}; X_1, X_2, \ldots, X_n) = S_n$.

We first observe that the sequence $S_n = \sum_{i=1}^{n} X_i$ (as previously
defined) is a martingale with respect to the sequence $\{X_n\}$.

Lemma 1: The sequence $\{S_n\}$, where $S_n = \sum_{i=1}^{n} X_i$ and
each $X_n$ is an independent random variable with $E(X_n) = 0$,
is a martingale with respect to the sequence $\{X_n\}$.

Alternatively, as could be needed for listing 2:

Lemma 2: If the sequence $\{S_n\}$, where $S_n = \sum_{i=1}^{n} X_i$, and
$\{X_n\}$ satisfy for all $i$

$$E(X_i) = 0, \qquad E(X_i; X_1 \cdots X_{i-1}) = 0,$$

then the sequence $\{S_n\}$ is a martingale with respect to the sequence
$\{X_n\}$.

We now make use of the Doobs-Kolmogorov Inequality
presented in Figure 3. The statement of Theorem 3 is deceptively
simple. The key, as the astute reader will observe, is that we
have a restricted form of the Doobs-Kolmogorov Inequality
in which the sample spaces of the underlying sequence of
random variables are identical. This is an artifact of the PVS
type system, which would otherwise require us to prove multiple versions
of the theorem at each tuple of instantiated types.

Although the type system used in PVS is extraordinarily
flexible, it is not as malleable as that used by professional
mathematicians. To capture mathematics in its entirety using
a theorem prover, we would need to dispense with any form
of type checking.^1 For its intended use as an aid to proving
programs correct, this would fatally weaken PVS as a useful
tool. In addition, in many practical areas of mathematics, the
full generality of categorical constructs is an unnecessary
luxury, albeit one with a seductive, siren-like, appeal.

Theorem 3 (Doobs-Kolmogorov Inequality): If $\{S_n\}$ is a
martingale with respect to $\{X_n\}$ then, provided that $\epsilon > 0$:

$$P\left(\max_{1 \le i \le n} |S_i| \ge \epsilon\right) \le \frac{E(S_n^2)}{\epsilon^2}.$$

In our particular case, where each $X_i$ is an independent
random variable with $E(X_i) = 0$ and $\mathrm{Var}(X_i) = \sigma_i^2$, the cross
terms $E(X_i X_j) = E(X_i)\,E(X_j)$ vanish for $i \ne j$, and we
observe that

$$E(S_n^2) = \sum_{i=1}^{n} \sigma_i^2.$$

The short conclusion is therefore that eventually errors will
accumulate and overwhelm the accuracy of any numerical
software. However, if $\epsilon$ is large enough and each of the $\sigma_i^2$ is
small enough, then the number of iterations required for this
to occur will be high enough to be of no practical significance.
Crucially, the results hinge critically on the errors $\{X_n\}$ being
independent.
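The following is an added example, not code from the paper, that puts Theorem 3 to work on listing 1 the way a tool emitting an accuracy certificate would. With independent errors uniform on $\pm\mathrm{ulp}/2$ we have $E(S_n^2) = n\,\mathrm{ulp}^2/12$, so the theorem gives $P(\max_{1 \le i \le n}|S_i| \ge \epsilon) \le n\,\mathrm{ulp}^2/(12\,\epsilon^2)$; the code evaluates that bound next to the interval-arithmetic worst case $n\,\mathrm{ulp}/2$, inverts it to obtain the largest $n$ that keeps the failure probability under a target, and runs a Monte Carlo simulation of the loop as an empirical sanity check. The function names are mine; the inputs (single precision ulp $2^{-23}$, $2^{24}$ additions, $\epsilon = 1$, the $10^{-9}$ target, 10 h at 1 kHz) are taken from the introduction and abstract as illustrative values, not as results of the paper.

```python
"""Doobs-Kolmogorov bound on accumulated error versus worst-case analysis.

Added example, not code from the paper.  For listing 1 (fixed point accumulation
of n sensor readings whose errors X_i are independent and uniform on +/- ulp/2)
it evaluates the bound of Theorem 3,

    P(max_{1<=i<=n} |S_i| >= eps) <= E(S_n^2)/eps^2 = n * ulp^2 / (12 * eps^2),

the interval-arithmetic worst case n * ulp / 2, the largest n that keeps the
bound below a target failure probability, and a Monte Carlo run of the loop as
an empirical sanity check.  The values of ulp, eps, the target probability and
the 10 h at 1 kHz operation count are illustrative inputs taken from the paper's
introduction and abstract, not results of the paper.
"""
import random


def dk_failure_bound(n, ulp, eps):
    """Theorem 3 with E(S_n^2) = n * ulp^2 / 12 (sum of n identical variances)."""
    return min(1.0, n * ulp ** 2 / (12.0 * eps ** 2))


def worst_case_error(n, ulp):
    """Interval bound: every X_i at its extreme ulp/2 and all with the same sign."""
    return n * ulp / 2.0


def max_safe_operations(ulp, eps, p_fail):
    """Largest n with n * ulp^2 / (12 eps^2) <= p_fail, i.e. n <= 12 eps^2 p_fail / ulp^2."""
    return int(12.0 * eps ** 2 * p_fail / ulp ** 2)


def simulate_accumulation(n, ulp, eps, trials, seed=0):
    """Run the loop of listing 1 `trials` times on constructed sensor errors.

    Each trial draws X_i ~ U(-ulp/2, ulp/2) and stops as soon as a partial sum
    S_i leaves (-eps, eps); the result is the observed fraction of failing runs,
    which the Doobs-Kolmogorov bound must dominate.
    """
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        s = 0.0                                  # S_i = a_i minus the exact sum of the x_i
        for _ in range(n):
            s += rng.uniform(-ulp / 2.0, ulp / 2.0)
            if abs(s) >= eps:
                failures += 1
                break
    return failures / trials


def intro_example():
    """The introduction's case: single precision values in [-1, 1], 2^24 additions."""
    ulp, n, eps = 2.0 ** -23, 2 ** 24, 1.0
    return {
        "worst_case": worst_case_error(n, ulp),            # reaches 1.0
        "dk_bound": dk_failure_bound(n, ulp, eps),         # about 2e-8
        "ten_hours_at_1khz": 10 * 3600 * 1000,             # about 2^25 operations
        "safe_ops_at_1e-9": max_safe_operations(ulp, eps, 1e-9),
    }


if __name__ == "__main__":
    print(intro_example())
    print(simulate_accumulation(n=2000, ulp=1.0, eps=20.0, trials=200),
          dk_failure_bound(2000, 1.0, 20.0))
```

Two points worth noticing when reading the numbers. First, for the introduction's $2^{24}$ additions the worst case says the error may reach the full $\pm 1$, while Theorem 3 says the probability that any partial sum ever reaches 1 is below $2 \times 10^{-8}$, which is the paper's argument in miniature. Second, the inequality is a second-moment bound, so `max_safe_operations` is only linear in the target probability: at $10^{-9}$ with $\epsilon = 1$ and a single precision ulp it certifies about $8.4 \times 10^{5}$ additions, well short of the $3.6 \times 10^{7}$ operations of a 10 h flight at 1 kHz, so in that regime one needs a larger $\epsilon$, a smaller ulp or a tighter tail bound. The simulation is only an empirical check of the bound; the certificate is the PVS theorem.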

IV. Future work 

This work will be continued in two directions. The first
direction is to modify Fluctuat to generate theorems that can be
checked automatically by PVS using ProofLite^2 as proposed
in [?]. This work will be carried out in collaboration with
the developers of Fluctuat. The software will conservatively
estimate the final effect of the error introduced by each
individual floating point operation and compute upper bounds
on their variances.

^1 A weak form of type consistency is used in category theory, but this is so
weak that we can introduce the Russell Paradox.

^2 http://research.nianet.org/~munoz/ProofLite/

The second direction is to develop and check accurate proofs 
about the round-off errors of individual equations. A uniformly 
distributed random variable whose variance depends only on 
the operation and the computed result might provide a too 
pessimistic bound. For example the floating point addition of 
a large number with a small number absorbs the small number 
meaning that the round-off error may be far below half an ulp 
of the computed result. 

The two's complement operations of the TMS320 circuit can either
round or truncate the result. If truncation is used, it introduces
a drift and the Doobs-Kolmogorov inequality for martingales
cannot be used. Should we wish to extend this work to account for
drifts (non-zero means for the random variables $\{X_n\}$), then
we anticipate making use of Wald's identity. Such developments
will also be necessary to address higher order error terms that
introduce a drift.

This library and future work will be included in the NASA
Langley PVS library^3 as soon as it becomes stable.

We saw with the example of listing 2 that inductions on the
variances of the random variables can be crudely bounded.
Yet, we may expect tighter results if we use tools that are
able to infer inductions and solve them mathematically, but
this domain is far from the authors' research areas.

V. Conclusions 

To the best of our knowledge this paper presents the first
application of the Doobs-Kolmogorov Inequality to software
reliability and the first generic formal development able to
handle continuous, discrete and non-continuous non-discrete
random variables for PVS. Previous developments in higher
order logic were targeting other applications and using the Coq,
HOL or Mizar proof assistants (see [?], [?] and references
therein). In addition, we have demonstrated a slightly weaker
version of this result in PVS. We claim that the utility of
this weaker result is not unduly restricted, when compared to
the general result. The major restriction lies in the fact that
we have to demonstrate that a sequence of overall errors is a
martingale with respect to the sequence of individual errors.
We have been forced to make simplifications to the mathematical
model of our software to ensure that this is the case.
In particular, we have been forced to insist that our individual
errors have no drift, and are independent.

We have been surprised that the limit on the reliability of 
a piece of numeric software could be expressed so succinctly. 
Notice that even with a high tolerance of error, and with 
independent errors, we will still eventually fail. Our results 
permit the development of safe upper limits on the number 
of operations that a piece of numeric software should be 
permitted to undertake. 

^3 http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-library/pvslib.html

doobs [T : TYPE+,                                                      % sample space
       (IMPORTING finite_measure@subset_algebra_def[T])
       S : sigma_algebra,                                              % permitted events
       (IMPORTING probability_measure[T, S])
       P : probability_measure                                         % probability measure
      ] : THEORY
BEGIN

  IMPORTING probability[T, S, P], martingale, reals@bounded_reals

  epsilon: VAR posreal
  X, S:    VAR [nat -> random_variable]
  pn:      VAR posnat

  doobs_kolmogorov: THEOREM martingale?(X, S) IMPLIES
    P(max(image(abs o S, below(pn))) >= epsilon)
      <= E(sq(S(pn))) / sq(epsilon)

END doobs

Fig. 3. Doobs-Kolmogorov inequality in PVS



It is worth pointing out that violating our assumptions 
(independence of errors, and zero drift) would lead to worse 
results, so one should treat the limits we have deduced with 
caution, should these assumptions not be met. 